What Is SAML?
As Tracy David, a cloud client executive with CDW, notes in a blog post, SSO is a high-level term used to “describe a scenario in which a user applies one set of credentials to access multiple domains.”
SSO uses the Security Assertion Markup Language (SAML) protocol, which is an Extensible Markup Language standard that allows a user to log in once for affiliated but separate websites, David notes.
“Or in plain English, instead of using passwords to access systems, it uses highly complex encrypted keys, which the end user has no access to view or change,” he writes. “SAML is designed for business-to-business (B2B) and business-to-consumer (B2C) transactions.”
According to the website Security Boulevard, SAML is a standard authentication (and occasionally authorization) protocol which is most often used by SSO providers to relay credentials between an identity provider, which contains the credentials to verify a user, and a service provider, which is the resource that requires authentication.
Under SAML, a user, via a web browser, requests to log in to a service or app. The service defers its authentication to a specific identity provider (registered with the service). Then, the browser relays the authentication request to that registered identity provider for the login and authentication. Upon a successful credential check, the identity provider generates an XML-based assertion verifying the user’s identity and relays it to the browser. After that, the browser relays the XML assertion to the service or app. The service provider takes in that assertion as a “ticket” for entry and allows the user to access the service by logging them in.
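The exchange above, walked through in code as an added example (this is not code from the article or from any SAML library). It models the three parties as functions: the service provider builds an authentication request, the identity provider answers it with an XML assertion, and the service provider checks the assertion before treating it as a login ticket. The entity IDs, the user names and the signing key are constructed for the example; real SAML assertions are signed with XML Signature using the identity provider's certificate, and here an HMAC over the serialized assertion stands in for that signature so the trust check can be shown without a certificate setup.

```python
import hashlib
import hmac
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Constructed identifiers for this example (not real endpoints).
IDP_ISSUER = "https://idp.example.gov/saml"
SP_ENTITY_ID = "https://app.example.gov"
ACS_URL = "https://app.example.gov/saml/acs"
# Stand-in for the IdP's signing key. Real SAML uses XML Signature with the IdP's
# public certificate (published in IdP metadata); a shared HMAC secret plays that
# role here so the example runs offline.
IDP_SIGNING_KEY = b"constructed-idp-signing-key"
NS = "urn:oasis:names:tc:SAML:2.0:assertion"


def sp_build_authn_request(pending):
    """Service provider: defer the login to the registered IdP.

    The request id is remembered so the SP can later tie the assertion back to a
    login it actually started (the InResponseTo check).
    """
    request_id = "_" + secrets.token_hex(16)
    pending[request_id] = datetime.now(timezone.utc)
    return {"id": request_id, "issuer": SP_ENTITY_ID, "acs": ACS_URL}


def idp_issue_assertion(authn_request, user, registered_sps, now=None, ttl=300):
    """Identity provider: after its own credential check, issue an assertion."""
    if authn_request["issuer"] not in registered_sps:
        raise ValueError("unknown service provider")
    now = now or datetime.now(timezone.utc)
    a = ET.Element(f"{{{NS}}}Assertion", ID="_" + secrets.token_hex(16),
                   IssueInstant=now.isoformat())
    ET.SubElement(a, f"{{{NS}}}Issuer").text = IDP_ISSUER
    subj = ET.SubElement(a, f"{{{NS}}}Subject")
    ET.SubElement(subj, f"{{{NS}}}NameID").text = user
    ET.SubElement(subj, f"{{{NS}}}SubjectConfirmationData",
                  InResponseTo=authn_request["id"], Recipient=authn_request["acs"])
    cond = ET.SubElement(a, f"{{{NS}}}Conditions", NotBefore=now.isoformat(),
                         NotOnOrAfter=(now + timedelta(seconds=ttl)).isoformat())
    ET.SubElement(ET.SubElement(cond, f"{{{NS}}}AudienceRestriction"),
                  f"{{{NS}}}Audience").text = authn_request["issuer"]
    body = ET.tostring(a)
    tag = hmac.new(IDP_SIGNING_KEY, body, hashlib.sha256).hexdigest()
    return {"assertion": body, "signature": tag}


def sp_validate_assertion(response, pending, now=None):
    """Service provider: check the 'ticket' before logging the user in.

    Returns the verified NameID, or raises ValueError naming the failed check.
    """
    now = now or datetime.now(timezone.utc)
    expected = hmac.new(IDP_SIGNING_KEY, response["assertion"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, response["signature"]):
        raise ValueError("signature check failed")
    a = ET.fromstring(response["assertion"])
    if a.findtext(f"{{{NS}}}Issuer") != IDP_ISSUER:
        raise ValueError("assertion not from the registered IdP")
    cond = a.find(f"{{{NS}}}Conditions")
    not_before = datetime.fromisoformat(cond.get("NotBefore"))
    not_on_or_after = datetime.fromisoformat(cond.get("NotOnOrAfter"))
    if not (not_before <= now < not_on_or_after):
        raise ValueError("assertion outside its validity window")
    if cond.findtext(f"{{{NS}}}AudienceRestriction/{{{NS}}}Audience") != SP_ENTITY_ID:
        raise ValueError("assertion issued for a different service provider")
    scd = a.find(f"{{{NS}}}Subject/{{{NS}}}SubjectConfirmationData")
    if scd.get("Recipient") != ACS_URL:
        raise ValueError("assertion addressed to a different ACS URL")
    if scd.get("InResponseTo") not in pending:
        raise ValueError("assertion does not match a login this SP started")
    del pending[scd.get("InResponseTo")]  # one-time use: a replay fails this check
    return a.findtext(f"{{{NS}}}Subject/{{{NS}}}NameID")


def sp_rejects(response, pending):
    """True if the SP refuses the assertion (used to show the failure cases)."""
    try:
        sp_validate_assertion(response, pending)
    except ValueError:
        return True
    return False


def run_sso_login(user="alice@example.gov"):
    """Walk the browser-mediated exchange; return the identity the SP accepted."""
    pending = {}
    req = sp_build_authn_request(pending)                 # browser carries this to the IdP
    resp = idp_issue_assertion(req, user, {SP_ENTITY_ID})  # browser carries this back to the SP
    return sp_validate_assertion(resp, pending)


if __name__ == "__main__":
    print("logged in as", run_sso_login())
```

The checks in sp_validate_assertion are the ones the "ticket" metaphor hides: the assertion must come from the configured identity provider, be addressed to this service provider and its assertion consumer URL, still be inside its validity window, and answer a request this service provider issued, each exactly once.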
“Said another way, using SAML, developers can leverage SAML plugins to ensure their app or resource follows desirable single sign-on practices to simplify their user’s login experience and ensure security practices are laid in place to leverage a common identity strategy,” the website notes. “That way, only an identity with the proper credentials/assertion can access an application. Additionally, SAML can be used to control what said identity can access in an application.”
Login.gov, the federal single sign-on project based out of the General Services Administration’s Technology Transformation Service, offers the public secure and private online access to participating government programs. With one login.gov account, users can sign into multiple government agencies. Login.gov is a standard SAML identity provider, adhering to the Web Browser SSO Profile with enhancements for NIST SP 800-63-3.
However, Login.gov strongly recommends choosing OpenID Connect over SAML “due to its modern, API-centric design and support for native mobile applications.”
What Is OAuth?
OpenID Connect is a simple identity layer built on top of the OAuth 2.0 protocol. But what is OAuth?
Rob Sobers, a software engineer specializing in web security at security software firm Varonis, notes in a blog post that OAuth is “an open-standard authorization protocol or framework that provides applications the ability for ‘secure designated access.’”
OAuth does not share password data but “instead uses authorization tokens to prove an identity between” users and service providers, Sobers writes. “OAuth is an authentication protocol that allows you to approve one application interacting with another on your behalf without giving away your password,” he says.
OAuth works over HTTPS and authorizes devices, application programming interfaces, servers and applications with access tokens rather than credentials, according to an Okta blog post. OAuth 2.0 is the more widely used version of OAuth at this point.
For example, a user can tell one application that it’s OK for another website to access that application without giving the website the password for the application. That helps minimize risk, Sobers writes, because if the website suffers a data breach, the user’s password will remain secure.
SAML vs. OAuth
There are several key differences between SAML and OAuth.
SAML uses XML to pass messages while OAuth uses JavaScript Object Notation, according to Sobers.
“OAuth provides a simpler mobile experience, while SAML is geared towards enterprise security,” he writes. “That last point is a key differentiator: OAuth uses API calls extensively, which is why mobile applications, modern web applications, game consoles, and Internet of Things (IoT) devices find OAuth a better experience for the user.”
However, SAML “drops a session cookie in a browser that allows a user to access certain web pages — great for short-lived workdays, but not so great when you have to log in to your thermostat every day.”
Meanwhile, according to Security Boulevard, “OAuth is more tailored towards access scoping than SAML. Access scoping is the practice of allowing only the bare minimum of access within the resource/app an identity requires once verified.”
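An added example (not code from the article or from any OAuth library) that ties together two points above: the user authorizing one website to reach an application without handing over the password, and access scoping. The authorization server of the application that holds the user's data mints a token after the user consents; the token names the client it was issued to and carries only the scopes the user granted, and the resource server enforces that scope on every call. The signing key, client id, user and scope names are constructed for the example, and the token format (an HMAC-signed JSON payload) is a simplification chosen so it runs offline; the third-party website never sees the key or the password.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed example. The key belongs to the application's authorization server;
# the third-party client never holds it, and never sees the user's password.
AS_SIGNING_KEY = b"constructed-authorization-server-key"


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_access_token(user, client_id, requested_scopes, consented_scopes, ttl=3600, now=None):
    """Authorization server: mint a token after the user consents on the app's own login page.

    Access scoping happens here: the token carries only the intersection of what the
    client asked for and what the user agreed to, and it records which client got it.
    """
    now = int(now if now is not None else time.time())
    scope = sorted(set(requested_scopes) & set(consented_scopes))
    payload = {"sub": user, "client_id": client_id, "scope": " ".join(scope),
               "iat": now, "exp": now + ttl}
    body = _b64url(json.dumps(payload, separators=(",", ":")).encode())
    tag = _b64url(hmac.new(AS_SIGNING_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{tag}"


def verify_access_token(token, now=None):
    """Resource server: check integrity and expiry; return the claims or None."""
    now = now if now is not None else time.time()
    parts = token.split(".")
    if len(parts) != 2:
        return None
    body, tag = parts
    expected = _b64url(hmac.new(AS_SIGNING_KEY, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(expected, tag):
        return None
    claims = json.loads(_b64url_decode(body))
    if claims["exp"] <= now:
        return None
    return claims


def call_resource(token, required_scope, now=None):
    """Resource server endpoint: serve only a valid token that carries the needed scope."""
    claims = verify_access_token(token, now)
    if claims is None:
        return 401, "invalid_token"
    if required_scope not in claims["scope"].split():
        return 403, "insufficient_scope"
    return 200, f"ok: {claims['sub']} via {claims['client_id']}"


if __name__ == "__main__":
    # The user grants a photo-printing site read access only, even though it asked for more.
    token = issue_access_token("alice", "photo-printer",
                               requested_scopes=["photos:read", "photos:delete"],
                               consented_scopes=["photos:read"])
    print(call_resource(token, "photos:read"))    # (200, ...)
    print(call_resource(token, "photos:delete"))  # (403, 'insufficient_scope')
```

The token, not the password, is what the third-party site stores, so a breach there exposes a credential that is bound to one client, limited to the granted scope, and expires on its own; the resource server can also refuse it outright by rotating the signing key.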